Open Access Open Access  Restricted Access Subscription Access

An Experimental Survey towards Engaging Trustable Hypervisor Log Evidence within a Cloud Forensic Environment


Affiliations
1 University of Technology, Kingston, Jamaica
 

In this survey paper the author explores the technical as well as high level conceptual trust issues that arise in acquiring log forensic evidence from the virtual machine (VM) hosted operating systems within the data clouds. This specific survey work is done at the University of Technology [UTECH], Jamaica, which currently functions as its own independent private data cloud provider. The data acquisition is particular to the hypervisor system logs that can be used to track VM incidences which are later used to compile potential evidence for a cloud investigation. This work also presents a model to show the layers of virtualization trust that can arguably be used to support the collection of such log evidence. The paper provides the context for the support of such cloud digital investigations and analyzes the choices available to a forensic investigator using proof of concept experiments. The experimental work is achieved by making a comparative evaluation of popular forensic acquisition tools including Guidance EnCase and AccessData Forensic Toolkit, as to how volatile and non-volatile hypervisor log data can be collected. Finally the paper explores three solutions for the managed log evidence data acquisition phase within a cloud investigation.

Keywords

Forensic, Log, Cloud, Trust, Hypervisor.
User
Notifications
Font Size

Abstract Views: 335

PDF Views: 167




  • An Experimental Survey towards Engaging Trustable Hypervisor Log Evidence within a Cloud Forensic Environment

Abstract Views: 335  |  PDF Views: 167

Authors

Sean Thorpe
University of Technology, Kingston, Jamaica

Abstract


In this survey paper the author explores the technical as well as high level conceptual trust issues that arise in acquiring log forensic evidence from the virtual machine (VM) hosted operating systems within the data clouds. This specific survey work is done at the University of Technology [UTECH], Jamaica, which currently functions as its own independent private data cloud provider. The data acquisition is particular to the hypervisor system logs that can be used to track VM incidences which are later used to compile potential evidence for a cloud investigation. This work also presents a model to show the layers of virtualization trust that can arguably be used to support the collection of such log evidence. The paper provides the context for the support of such cloud digital investigations and analyzes the choices available to a forensic investigator using proof of concept experiments. The experimental work is achieved by making a comparative evaluation of popular forensic acquisition tools including Guidance EnCase and AccessData Forensic Toolkit, as to how volatile and non-volatile hypervisor log data can be collected. Finally the paper explores three solutions for the managed log evidence data acquisition phase within a cloud investigation.

Keywords


Forensic, Log, Cloud, Trust, Hypervisor.